Rina Steenkamp - Privacy and technology

My annotated General Data Protection Regulation

Chapter IV Controller and processor

Section 1 General obligations

Article 28 Documentation

October 2013

Article 28(1)

1. Each controller and processor shall maintain regularly updated documentation necessary to fulfill the requirements laid down in this Regulation.

Article 28(2)

2. In addition, each controller and processor shall maintain documentation of the following information:

Article 28(3)

3. (deleted)

Article 28(4)

4. (deleted)

Article 28(5)

5. (deleted)

Article 28(6)

6. (deleted)

[Source: October 2013]

Recital 65

(65) In order to be able to demonstrate compliance with this Regulation, the controller or processor should maintain the documentation necessary in order to fulfill the requirements laid down in this Regulation. Each controller and processor should be obliged to co-operate with the supervisory authority and make this documentation, on request, available to it, so that it might serve for evaluating the compliance with this Regulation. However, equal emphasis and significance should be placed on good practice and compliance and not just the completion of documentation.

[Source: October 2013 | Notes: Recitals | Context: Recitals]

January 2012

Explanatory memorandum

3.4. Detailed explanation of the proposal

Article 28 introduces the obligation for controllers and processors to maintain documentation of the processing operations under their responsibility, instead of a general notification to the supervisory authority required by Articles 18(1) and 19 of Directive 95/46/EC.

[Source: January 2012 | Context: Proposal from the European Commission]

Article 28(1) [Amended: October 2013]

1. Each controller and processor and, if any, the controller's representative, shall maintain documentation of all processing operations under its responsibility.

Article 28(2) [Amended: October 2013]

2. The documentation shall contain at least the following information:

Article 28(3) [Deleted: October 2013]

3. The controller and the processor and, if any, the controller's representative, shall make the documentation available, on request, to the supervisory authority.

Article 28(4) [Deleted: October 2013]

4. The obligations referred to in paragraphs 1 and 2 shall not apply to the following controllers and processors:

Article 28(5) [Deleted: October 2013]

5. The Commission shall be empowered to adopt delegated acts in accordance with Article 86 for the purpose of further specifying the criteria and requirements for the documentation referred to in paragraph 1, to take account of in particular the responsibilities of the controller and the processor and, if any, the controller's representative.

Article 28(6) [Deleted: October 2013]

6. The Commission may lay down standard forms for the documentation referred to in paragraph 1. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 87(2).

[Source: January 2012 | Context: Proposal from the European Commission]

Recital 65 [Amended: October 2013]

(65) In order to demonstrate compliance with this Regulation, the controller or processor should document each processing operation. Each controller and processor should be obliged to co-operate with the supervisory authority and make this documentation, on request, available to it, so that it might serve for monitoring those processing operations.

[Source: January 2012 | Notes: Recitals | Context: Proposal from the European Commission, Recitals]